Privacy and Data Protection Policy – Wheelers ePlatform
Wheelers ePlatform is committed to safeguarding your privacy. We will only use the information that we collect about you lawfully.
This Policy describes how we treat personal data.
Who we are
Wheelers ePlatform is provided by: Wheeler’s Book Club Ltd (NZ). Our company registration number is 19128107258. Email: firstname.lastname@example.org . We are a service provider to Schools, Colleges and Libraries.
Purpose and scope of this Policy
The Policy is designed to provide an overview of how data protection is managed in the Wheelers Group. It sets out the following:
- Data protection policy and objectives
- The data protection framework
- Legal compliance, including the requirements of the EU General Data Protection Regulation (GDPR)
This Policy is intended for circulation to Wheeler’s customers, suppliers and other interested parties.
POLICY, OBJECTIVES AND SCOPE
The objectives of the Policy are to:
- Communicate Wheeler’s Data Protection commitment to employees, customers and other third parties;
- Summarise how Wheeler’s approach to data protection management is designed to be compliant with data protection legislation;
- Summarise governance arrangements for data protection management.
The scope of the Policy covers:
- All personal data collected and / or processed by Wheelers in the conduct of its business, in any format;
- All products and services developed and provided by Wheelers
- All Wheelers staff.
DATA PROTECTION FRAMEWORK
Wheelers as Data Controller
Wheelers acts as a data controller for the following categories of data subjects:
- Former employees
- Individuals who form part of our advertisement campaigns
- Prospective employees
Wheelers as Data Processor
Wheelers, and its associated companies and divisions, acts as a data processor with regard to the processing of personal data for the following categories of data subjects:
- Persons who work or volunteer for organisations that buy products or services from Wheelers
- Students/patrons: where Wheelers processes their data in order to provide services to the data controller (educational establishment customer or library)
- Individual consumer customers
- Education Establishment customers who require Wheelers to process personal data in order to deliver the services
- Staff working for organisations
Wheelers enacts its obligations as a data processor with regard to:
- Legal requirements
- The Terms & Conditions of its products and services
Wheelers reflects legal requirements relating to consent in the following ways:
- How consent is obtained, recorded and managed in its customer-facing systems
- Data retention and deletion procedures
- Terms & Conditions for products and services
In accordance with data protection legislation, Wheelers recognises that data subjects have specific rights that must be protected and observed.
Right to be informed
Wheelers provides employees, customers and other third parties with information about how personal data is collected, processed and managed. Wheelers seeks to provide this information in language that is clear, concise and intelligible. This information is intended to be easily accessible for internal and external users.
Right of access
Wheelers provides data subjects with access to the personal data that it manages as a data controller. Data subjects for whom Wheelers is not the data controller but may process their personal data, should contact the data controller directly when requesting such access.
Right to rectification
Wheelers recognises the right of individuals to have inaccurate or incomplete data to be amended. Wheelers employees should initially make a rectification request to Wheeler’s Human Resources department. Data subjects for whom Wheelers is not the data controller, should – in the first instance – contact the data controller when making a data rectification request. Queries or complaints should be made to email@example.com
Right to erasure
Wheelers recognises the right of individuals to request for their data to be deleted or removed where there is no compelling reason for its continued processing. Wheelers will, in all cases, follow any guidance provided by relevant authorites (such as the Office of the Privacy Commissioner (NZ) and the UK Independent Commissioner’s Office (ICO)) on how and when such a request should be observed.
Wheelers maintains a data retention schedule so that personal data is not retained for longer than is necessary with regard to the purpose for which the data was originally collected. This may include logging data that is temporarily retained for diagnostic purposes. However, some personal data may be required to be retained in order to observe other legal or regulatory obligations. In addition, in line with the ICO’s guidance on the constraints that exist when deleting data retained in digital back-ups, Wheelers will seek to place such back-ups beyond effective use.
Right to data portability
Where the right of portability applies, as defined by the ICO, Wheelers will provide data in a form that is structured, commonly used and in a machine readable form. In most cases, this will be the CSV format.
Wheelers regards data security a critical component of data protection compliance.
A wide range of technical controls are used to protect data, including but not limited to:
- Data encryption
- Anti-virus and anti-malware software
- Network monitoring
- Access management
- Vulnerability scanning and penetration testing
- Asset management
A wide range of non-technical controls are used, including but not limited to:
- Physical security controls at Wheeler’s offices
- Security policies, including Data Classification & Handling, Data Protection, etc
- Security training
The implementation of such controls may vary between specific products and services.
All security incidents are logged on an internal security incident management system. They are reviewed and evaluated by a member of the security management team.
A security incident that involves personal data will initially be categorised as a Potential Data Protection Incident. If it is determined that a data breach has indeed occurred, this will trigger a formal Data Breach procedure.
If a data breach relates to employee data, Wheelers will inform the relevant authority in accordance with published guidance.
If the data breach relates to customer or supplier data, Wheelers will notify the relevant data controller.
Data we receive
Logging in to the school/library lending platform is managed through a variety of authentication methods including LDAP, SAML SSO, SIP2, OpenID and FTP. In a number of these cases the school/library we are contracted with, send user/patron data that will enable this authentication to occur accurately. Any personal data that is sent, is managed by the school/library itself. The school/library is the data controller and Wheelers is the Data Processor.
The data we receive on library/school patrons may include:
- Year level, for restricting access of certain titles to certain age groups
- Birthdate, if year level is not chosen by the school
- Name, if barcode is not chosen by the school.
- Email, used to notify availability of a title that has been reserved.
Legal Basis for Processing Data
The legal basis for Wheelers processing personal data varies according to the nature of the activity being undertaken:
- Consent of the data subject, e.g. consent to receipt of marketing information
- Necessary for the performance of a contract, e.g. storing of employee and basic student/patron data
- Processing for compliance with a legal obligation, e.g. retention of some employee data
- For the purposes of legitimate interests, e.g. direct marketing
Who we share information with
We share personal data with our Library customers, group companies and suppliers as necessary to run our business. For example, our parent company provides us with hosting, and helps us to fulfil loan requests.
Cookies are small text files stored in your device’s cache by our servers.
Our website sets some cookies itself to remember your choices and help the site to function.
POLICY RELEVANT TO UK (and other EU) DATA SUBJECTS
Transfer of personal data to a country outside the EEA
Wheelers is a global organisation, with its head office in New Zealand and its wholly owned development subsidiary in Malaysia. Our data and databases are hosted by Microsoft Azure.
Your personal data may be accessed by designated staff operating outside the European Economic Area ("EEA") who work for us. Such staff maybe engaged in, among other things, development work on the software/platform and the provision of support services. By submitting your personal information, you agree to Wheelers transferring, storing and processing your personal information outside the EEA.
In compliance with Chapter V of the GDPR, Wheelers has provided adequate safeguards to the transfer of personal data, with individual rights enforceable between Wheelers entities.
However, if you do not agree to this procedure you should not use our services.
Legal Compliance - Applicable Legislation
The following legislation is relevant to data protection legal compliance for UK data subjects:
- Data Protection Act 1998
- General Data Protection Regulation (GDPR)
- Privacy and Electronic Communications Regulations (PECR) 2015
- Investigatory Powers Act 2016
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
- Protection of Freedoms Act 2012
Wheelers uses the following definition of personal data.
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Source :GDPR, Rec.26; Art.4(1)
Wheelers uses the following definition for the term “data controller”:
- “A controller determines the purposes and means of processing personal data.” (ICO)
- "Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller may be designated by those laws.
Source :GDPR, Art.2(d)
Wheelers uses the following definition for the term “data processor”:
- “A processor is responsible for processing personal data on behalf of a controller.” (ICO)
- "Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”
Source :GDPR, Art.2(e)
UPDATES TO THIS POLICY
Click here to see our GDPR Terms.